mojaloop / project

Repo to track product development issues for the Mojaloop project.

DevSecOps Initiative Epic 5: Container Security #1130

Closed godfreykutumela closed 4 years ago

godfreykutumela commented 4 years ago

Context:

The Mojaloop delivery model is container based and can also fall prey to security vulnerabilities of various kinds, including bugs, inadequate authentication and authorization, and misconfiguration. Furthermore, containerized applications tend to be complex, comprising many discrete components that communicate with one another over a network.

As a result, the total attack surface of the container environment is large and complex, with potential trouble spots due to the multiple layers of a collapsed infrastructure and application architecture; hence the need for a dedicated epic on this topic. All new container security tools to be adopted must fully support automation and integration into the CI/CD pipeline environment – CircleCI.

Objectives:

- Perform a high-level container risk analysis and define the requirements for container security.
- Review and improve all existing container security initiatives and identify gaps for improvement to attain quick wins.
- Evaluate and adopt more open source container security tools to close any existing gaps.
- Document and communicate container security standards and enforce community-wide adoption.

Stories:

  1. Perform a container risk analysis and define the requirements for container security – Godfrey
  2. Review and improve all existing container security initiatives (e.g. Anchore Cloud etc.) – Lewis, Victor & Godfrey
  3. Evaluate more open source container security tools – this will be a major focus area until the next PI Meeting – Godfrey and Victor
  4. Define and document the following – Godfrey & Victor
     a. Tool usage guides
     b. Container security rules and policies per section of the code, based on the security/compliance requirements to be defined
     c. Exception handling
     d. CI/CD integration workflows
     e. Monitoring and reporting procedures

lewisdaly commented 4 years ago

Closing this Epic in favour of unified DevSecOps epic: https://github.com/mojaloop/project/issues/1213